sasser virus (was Re: [unisog] student fees for cleaning.)

Jason Richardson a00jer1 at
Sat May 8 00:19:48 GMT 2004

I've been NMAP scanning our IP space daily for ports 2535 (later
variants of Bagle), 2745 (earlier variants of Bagle), 31337 (the LSASS
exploit code from last week) and 5554 and 9996 for Sasser.  I usually
find a few of one type or another and block them until the owner can be
notified.  We also have no qualms about protecting the network and our
users by scanning.  My scan for today was clean for all of those ports
for the first time in two weeks - maybe because the students are packing
up to go home today.  I hope to be breathing easier on Monday for the
first time in 4 months.

Jason Richardson, J.D., CISSP, CISM, CNE
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich at

I have been doing scans here at the University of Arkansas for Medical
Sciences. At this posting, we are at 81 possible vulnerable computers
our network, which is down considerably from 300+ two days ago. As far
as scanning policy, we prefer to scan regardless of who owns the box.
Since we own the network, the safety of the network supersedes one or
two broke pc's should they not like being scanned. 


Kevin D. Butler, MCP

Network Security Engineer

University Of Arkansas for Medical Sciences

4301 West Markham, Slot 637

Little Rock, Arkansas 72205

+1 (501) 526-6391 - Wk

+1 (501) 405-8240 - Pgr

5014058240 at - Text Pgr

More information about the unisog mailing list